<html>
<head><meta charset="utf-8"><title>registry authentication · t-cargo · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/index.html">t-cargo</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html">registry authentication</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="238156798"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238156798" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238156798">(May 10 2021 at 15:01)</a>:</h4>
<p>I've started an RFC for adding authentication to private cargo registries, and I'm hoping for some initial feedback before posting it as an official RFC.</p>
<p>Specifically, I'm interested in what people think of attempting to auto-detect when authentication is required (via receiving HTTP 401) as described in the Alternatives section vs the explicit configuration option.</p>
<p>I have a prototype implementation where this is working well combined with the http-registry feature.</p>
<p><a href="https://github.com/arlosi/rfcs/blob/always-auth/text/0000-always-auth.md">https://github.com/arlosi/rfcs/blob/always-auth/text/0000-always-auth.md</a></p>



<a name="238157610"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238157610" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238157610">(May 10 2021 at 15:06)</a>:</h4>
<p>not on the cargo team, but on the <a href="http://crates.io">crates.io</a> team</p>



<a name="238157653"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238157653" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238157653">(May 10 2021 at 15:06)</a>:</h4>
<p>I'm wondering... is there any rationale for having the configuration being on the user side instead of the index side?</p>



<a name="238157715"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238157715" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238157715">(May 10 2021 at 15:07)</a>:</h4>
<p>like having <code>"authenticate_all_api_requests": true</code> in <code>config.json</code></p>



<a name="238157877"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238157877" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238157877">(May 10 2021 at 15:08)</a>:</h4>
<p>When combined with the approved HTTP-registry RFC, the <code>config.json</code> would be in the index (which we also want to secure).</p>



<a name="238169035"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238169035" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238169035">(May 10 2021 at 16:13)</a>:</h4>
<p>If you set <code>net.git-fetch-with-cli</code> to true, direct (password and ssh) authentication is possible. If using ssh you have to specify the url as <code>ssh://git@github.com/org/index-repo.git</code> though and not as <code>git@github.com:org/index-repo.git</code>. Without <code>net.git-fetch-with-cli</code> you need to use either ssh-agent or git's <code>credential.helper</code>.</p>



<a name="238169633"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238169633" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238169633">(May 10 2021 at 16:16)</a>:</h4>
<p><span class="user-mention" data-user-id="270929">@Arlo Siemsen</span></p>



<a name="238170701"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238170701" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238170701">(May 10 2021 at 16:23)</a>:</h4>
<p>If <code>net.git-fetch-with-cli =true</code>, then requests to the index will be authenticated with git when git is used as the transport. But when we're fetching the index over http via the <a href="https://github.com/rust-lang/rfcs/blob/master/text/2789-sparse-index.md">sparse index</a> feature, there is currently no way to do authentication.</p>



<a name="238172861"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238172861" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238172861">(May 10 2021 at 16:37)</a>:</h4>
<p>@bjorn3 The idea proposed in this RFC, combined with the sparse_index RFC, would allow a private registry to be implemented using only HTTP (no git), and would only have one form of authentication (the token), rather than the token (for API) + git (for index) + temp credentials encoded in the download URL. I believe this would make it significantly easier to implement private cargo registry servers.</p>



<a name="238174826"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238174826" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238174826">(May 10 2021 at 16:50)</a>:</h4>
<p><span class="user-mention" data-user-id="270929">@Arlo Siemsen</span> is there any information on <code>config.json</code> that would need to be private?</p>



<a name="238176319"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238176319" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238176319">(May 10 2021 at 17:00)</a>:</h4>
<p><span class="user-mention" data-user-id="121055">@Pietro Albini</span>  Making <code>config.json</code> public would confirm the registry exists and expose the download URL, but that would probably be okay.</p>



<a name="238176413"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238176413" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238176413">(May 10 2021 at 17:01)</a>:</h4>
<p>the reason I'm asking is that on the <a href="http://crates.io">crates.io</a> side I'd like to <em>prevent</em> users from setting the "send creds" option on the client side :)</p>



<a name="238182146"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238182146" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238182146">(May 10 2021 at 17:38)</a>:</h4>
<p>One nit so far: Artifactory also supports Cargo <a href="https://www.jfrog.com/confluence/display/JFROG/Cargo+Registry">https://www.jfrog.com/confluence/display/JFROG/Cargo+Registry</a></p>



<a name="238184129"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238184129" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238184129">(May 10 2021 at 17:51)</a>:</h4>
<p>I do not yet feel qualified to design security related code. Latter this year I will be talking with some experts to be prepared to help with this topic. I do not at all mind people getting the conversation started! My feedback (and checkmark) will have to weight. Sorry.</p>



<a name="238189399"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238189399" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238189399">(May 10 2021 at 18:24)</a>:</h4>
<p>Thanks for taking a look <span class="user-mention" data-user-id="120179">@Eh2406</span>. Artifactory added support after I wrote this up. I'll make an update. </p>
<p>I've been talking with the Azure Artifacts team internally here at Microsoft to make a plan around adding Rust support. We'd like to avoid implementing the git-based registry if possible. An authenticated HTTP-based registry would integrate much better.</p>
<p>Is there a way I could participate in the implementation discussions? I'd like to help :)</p>



<a name="238195805"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238195805" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238195805">(May 10 2021 at 19:08)</a>:</h4>
<p>The best summery of the work planed for the HTTP-based registry is at <a href="https://github.com/rust-lang/cargo/pull/8890#issuecomment-822025708">https://github.com/rust-lang/cargo/pull/8890#issuecomment-822025708</a><br>
On the authentication side, Lets try to get all the people with expertise talking. An RFC seam like a good next step.<br>
My new job is at Amazon, and the experts I want to talk to are the CodeArtifact team. They have  made authentication work for lots of languages, and should have opinions on how not to do it. I am shore it is the same with the Azure Artifacts team.<br>
For both the HTTP-based and authentication efferts, none of the work will be done in private. But I will try to remember to ping you in particular.</p>



<a name="238199854"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238199854" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Pietro Albini <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238199854">(May 10 2021 at 19:39)</a>:</h4>
<p>I'd also like to be pinged for the infra/crates.io side</p>



<a name="238353823"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238353823" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238353823">(May 11 2021 at 17:46)</a>:</h4>
<p>(I felt bad about delaying your work.) One of the people I wanted to talk to was available to talk with me today.</p>
<blockquote>
<p>is there any information on <code>config.json</code> that would need to be private?</p>
</blockquote>
<blockquote>
<p>Making <code>config.json</code> public would confirm the registry exists and expose the download URL, but that would probably be okay.</p>
</blockquote>
<p>From that conversation. The existence of a registry can be private. The protocol we come up with must allow <code>config.json</code> to return 401, if authentication is missing.</p>
<p>He also pointed out that we need to be careful about what authentication Cargo sends if the server sends a redirect.</p>



<a name="238481128"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238481128" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238481128">(May 12 2021 at 14:18)</a>:</h4>
<p>Just remembered this one. He recommended that Cargo refuse to send creds when the url is unsecured HTTP.</p>



<a name="238501669"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238501669" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238501669">(May 12 2021 at 16:13)</a>:</h4>
<p>That seems like a really good idea.</p>



<a name="238501697"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/238501697" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#238501697">(May 12 2021 at 16:14)</a>:</h4>
<p>Requiring HTTPS before sending credentials makes sense.</p>



<a name="239264395"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/239264395" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> J. R. Pascucci <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#239264395">(May 18 2021 at 14:37)</a>:</h4>
<p>eh2406 sent me here: i just implemented a working change to cargo which lets it work with artifactory's crate support over https with tokens. I wasn't in love with several things and was expecting to have to change some things, but looking at it, I feel like some of this deserves rearchitecture and while I had some thoughts, I'm not sure I'm up for a whole big thing. (I'm waiting for our legal department to approve the outgoing source before I upload. It's a couple of dozen lines or so, should be pretty coherent, but I agree with doing an RFC to _at least_ decide what config names we support going forward).</p>



<a name="239265314"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/239265314" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> J. R. Pascucci <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#239265314">(May 18 2021 at 14:42)</a>:</h4>
<p>I guess my current gut reaction comparing what I wrote to reading the threads is that a limited and forward-compatible change is to add a configuration in credentials which has a list of header attributes (or use something like a template that can be filled in with a credential). That solves this problem without blocking the way forward for other, more desirable, solutions.</p>



<a name="239459811"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/239459811" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#239459811">(May 19 2021 at 16:57)</a>:</h4>
<blockquote>
<p>From that conversation. The existence of a registry can be private. The protocol we come up with must allow config.json to return 401, if authentication is missing.</p>
</blockquote>
<p><span class="user-mention" data-user-id="120179">@Eh2406</span> Thanks for starting the discussions on your side (and apologies for the delay in getting back to you).  After talking with the folks here as well, we also agree the existence of the registry needs to be private. So we cannot use config.json. The RFC I wrote up does allow that (since the configuration is all local). Also agree that we should limit it to HTTPS only and avoid authentication on redirects. I can add that to the RFC.</p>
<p><span class="user-mention" data-user-id="413254">@J. R. Pascucci</span>  Do you think we need more than the <code>Authorization: </code> header? The "token" is just the value of the Authorization header, and would support Bearer, Basic, or other authorization kinds.</p>
<p>I also have a simple change to Cargo that implements most of the RFC on top of the prototype http-index work by kornelski. I can share that if it would be helpful.</p>



<a name="239464603"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/239464603" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> J. R. Pascucci <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#239464603">(May 19 2021 at 17:28)</a>:</h4>
<p>For my purposes, answering that exact question: no. Except to say that it _does_ need to be triggerable/overridable via config or credentials file for my use case, instead of triggerable from the repo api itself (if that was in your proposal, I don't remember who wrote what). IMO, the more configurable (with reasonable defaults) the better. </p>
<p>For instance, there is a jfrog-api-token mechanism that other people might want to use, and the moral equivalent on other sorts of platforms, and for future-proofing for better creds, since we can just get arbitrary data via the credential-process now.</p>
<p>Among my concerns are </p>
<ul>
<li>In these parts of it, cargo has gotten into a situation where you can only override like half of half of the potential behaviors, and the other half are kind of hard coded, leading to divergent behavior like this, between registry api and download.</li>
<li>I was trying to figure out how to make the necessary changes even more useful for the work put into it: the other thought I had was doing some kind of templated thing instead of hard-coded header handling, where you could put multiple "kinds" of credentials from the credential-process or creds file for different operations, but that feels a bit like overkill, although it fixes the problem now and is flexible enough in the future.</li>
<li>
<ul>
<li>This is security-theoretically better, IMO, since most mechanisms have methods to log user of a particular kind of credential request, so if I have an automated CI script that usually does reads, but suddenly it starts asking for publish, that might be a security triggering item.</li>
</ul>
</li>
<li>
<p>I think there's some duplicate code and missing architectural glue - since you can override some behavior and not others, if you're going to suport private repositories, you need to do it in a way that puts the default on equal footing as the alternates, leading to a object heirarchy of alternate registries (again, overkill, but that's the sense of where it could go with more coherent refactoring)<br>
That missing glue is, I suggest, the source of why it's got this sort of blindspot of dealing with 'download' separately from the indices today - if everything all consistent, it would be fine, but they aren't, and this, IMO, was a big, gaping hole in functionality.</p>
</li>
</ul>



<a name="240504605"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/240504605" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#240504605">(May 27 2021 at 17:41)</a>:</h4>
<p><span class="user-mention silent" data-user-id="413254">J. R. Pascucci</span> <a href="#narrow/stream/246057-t-cargo/topic/registry.20authentication/near/239464603">said</a>:</p>
<blockquote>
<p>if that was in your proposal, I don't remember who wrote what.</p>
</blockquote>
<p>Yes, my proposal is to configure via local cargo config. You can see a link to the pre-RFC at the top of the thread.</p>
<p><span class="user-mention silent" data-user-id="413254">J. R. Pascucci</span> <a href="#narrow/stream/246057-t-cargo/topic/registry.20authentication/near/239464603">said</a>:</p>
<blockquote>
<p>That missing glue is, I suggest, the source of why it's got this sort of blindspot of dealing with 'download' separately from the indices today - if everything all consistent, it would be fine, but they aren't, and this, IMO, was a big, gaping hole in functionality.</p>
</blockquote>
<p>I think the main reason we have the inconstancy is because we're using <code>git</code> for the indicies. Using HTTP for everything (via the sparse index RFC) will help resolve this.</p>



<a name="240505642"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/240505642" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#240505642">(May 27 2021 at 17:48)</a>:</h4>
<p><span class="user-mention" data-user-id="120179">@Eh2406</span> I added a section to the pre-RFC about redirects and <code>https</code>. Do you have any other concerns?</p>
<p><a href="https://github.com/arlosi/rfcs/blob/always-auth/text/0000-always-auth.md">https://github.com/arlosi/rfcs/blob/always-auth/text/0000-always-auth.md</a></p>



<a name="240511161"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/240511161" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#240511161">(May 27 2021 at 18:32)</a>:</h4>
<p>I don't see the update. But I do not have anything that should block you moving on to a bigger discussion. Like a Pre-Rfc post on internals.<br>
I think in the cores of time there <em>will</em> be requests for finer grained controls. So if things are going to grow into being a wall of settings, then I want them to live in <code>config.toml</code>. The one thing that can't live in there is how to get the <code>config.toml</code>. I personally like the auto discovery variation. But someone is going to want to have a setting to skip the round trip, so putting that in <code>[registries]</code> makes sense.<br>
I will be continuing to have conversations with security experts about this, but having something public to point at will be helpful. Thank you.</p>



<a name="240516223"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/240516223" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#240516223">(May 27 2021 at 19:08)</a>:</h4>
<p>Sounds good. I'll move to a pre-rfc post later today.</p>
<p><span class="user-mention silent" data-user-id="120179">Eh2406</span> <a href="#narrow/stream/246057-t-cargo/topic/registry.20authentication/near/240511161">said</a>:</p>
<blockquote>
<p>I personally like the auto discovery variation. But someone is going to want to have a setting to skip the round trip, so putting that in <code>[registries]</code> makes sense.</p>
</blockquote>
<p>We could do something in <code>[registries]</code> like <code>auth=publish|auto|always</code>, where <code>publish</code> would work how cargo does today (only send the token for publish/yank), <code>auto</code> would first attempt to fetch <code>config.json</code> without the token, then attempt with the token if it gets HTTP 401, or <code>always</code> which would always send the token. The default would be <code>auto</code>. <br>
The built-in config for <a href="http://crates.io">crates.io</a> could be configured to <code>never</code> to address <span class="user-mention" data-user-id="121055">@Pietro Albini</span>  concern about preventing the token from being sent to <a href="http://crates.io">crates.io</a></p>



<a name="240518056"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/240518056" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#240518056">(May 27 2021 at 19:22)</a>:</h4>
<blockquote>
<p>I think in the cores of time there will be requests for finer grained controls.</p>
</blockquote>
<p>For example Git based protocols will want to be able to demand the auth for downloads. (<span class="user-mention" data-user-id="413254">@J. R. Pascucci</span> that is what you want yes?) And there is no reason for that to live in <code>[registries]</code> where a user could get it wrong. So that should be a setting in <code>config.json</code>. IMO</p>



<a name="240631787"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/240631787" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#240631787">(May 28 2021 at 16:57)</a>:</h4>
<p>I created an internals topic: <a href="https://internals.rust-lang.org/t/pre-rfc-cargo-alternative-registry-authentication/14794">https://internals.rust-lang.org/t/pre-rfc-cargo-alternative-registry-authentication/14794</a></p>



<a name="242795722"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/242795722" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Eh2406 <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#242795722">(Jun 15 2021 at 20:35)</a>:</h4>
<p>Thanks for posting the RFC! I will try to get some workmates to take a look at it!</p>



<a name="242941996"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/246057-t-cargo/topic/registry%20authentication/near/242941996" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Arlo Siemsen <a href="https://rust-lang.github.io/zulip_archive/stream/246057-t-cargo/topic/registry.20authentication.html#242941996">(Jun 16 2021 at 20:55)</a>:</h4>
<p>Thanks! For anyone else coming here looking for the RFC PR: <a href="https://github.com/rust-lang/rfcs/pull/3139">https://github.com/rust-lang/rfcs/pull/3139</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>